IE Arbitraty Code Exploit proven harmful

[zigar]

In February, security group GreyMagic Software posted a new advisory
<http://security.greymagic.com/adv/gm001-ie/> correcting some
details in thePull's original post. They also detailed a new method
of exploiting this vulnerability without using ActiveScripting or
ActiveX. In other words, hackers can exploit this flaw with simple
HTML code. This greatly increased the scope of the vulnerability,
because disabling ActiveScripting and ActiveX no longer prevented
the attack. GreyMagic found that IE 5.5 was susceptible as well.
However, since the hacker could still start an application but not
use it, the vulnerability was considered more an irritation than a
damaging attack.


Yesterday, this vulnerability was proven harmful in an article
<http://www.newsbytes.com/news/02/175185.html>from Newsbytes. The
article mentions two unusual applications that ship with Windows XP.
Logoff.exe installs by default in XP and, when activated, forces the
current user to log off the system. Shutdown.exe does not install by
default but is shipped with XP; when activated, it forces your
machine to shut down. When either of these applications execute, you
lose any unsaved data. These programs are also in the Windows NT and
2000 Resource Kit. Thus, NT and 2000 administrators who have
installed these from the Resource Kit and use IE are also affected.


Now that the exploit code for this vulnerability and the connection
with shutdown.exe has been aired publicly, this attack is readily
feasible for any script kiddie. A hacker could create a Web page
that specifically targets the Logoff.exe application present in
Window XP by default. If you were enticed to visit the site, your
machine would automatically shut down. The attacker could achieve
the same results if you use Outlook or Outlook Express to open a
specially-crafted HTML e-mail he sent you.


Note that the vulnerability consists of someone being able to
remotely execute any program that resides on your machine.
Logoff.exe and shutdown.exe are the only known exploits thus far
(who cares if a hacker manages to remotely trigger Minesweeper on
your PCs?), but it would be typical of the hacker community to
figure out other damaging exploits in the future.



SOLUTION PATH:


Microsoft has not yet officially responded to this vulnerability,
and there is no patch or workaround available yet. However, without
logoff.exe and shutdown.exe, the only known exploits become
unworkable. You could remove or rename these applications on your XP
machines to help avoid a damaging attack from this vulnerability.
Keep in mind, doing that would also break any legitimate script or
program that used those applications. We recommend that you verify
these applications are not installed on your NT or 2000 machines,
either.


Many antiviral vendors, like McAfee and Symantec, have updated their
products to detect this attack and notify you; however, they do not
prevent it.

[ac1dsp3ctrum]

Good post xigar.... I use IE with Win2k, but no resource pack So im safe... For now

[lkennedy.guru]

good post man. I wonder how long it is going to take m$ to post a fix. Probibly about as much time as it will take to find a nother expoit.

[zigar]

one thing which hasn't been mentioned in the threads about this exploid ( )...
is that this would be much more difficult if not impossible to use if people would follow the following simple rule...

never install a windows system, especially nt, 2k or xp to the default winnt directory...if you install it to c:\BobsYerOperatingSystem or c:\noodles, this kind of exploiD, and many others don't work, since they rely on knowing what directory, specifically c:\winnt, your os files are sitting in...name it anything else and your pretty much safe from this kind of thing...

unfortunately, most of the machines i deal with have 2k preinstalled by dell ...so i'm stuck..

i've used a prog called COA to move progs with registry entries to different drives...and it works very nicely...but there's no way to move the os directory that i know of...anyone know different???

[Terr]

This is the reason I'm using Opera and Eudora, even though they are both ad-ware. I just like how the companies approached the problem too, they're very... frank, about that they need the ads to pay for their programming, and they don't get all secretive when you ask what personal information is collected, etc...

I do not trust Microsoft much.

[Pooh-Bear]

**previous posting censored on the ground of stupidity and alcohol**

My apologies zigar, just read the first lines..

[zigar]

ummm..pooh bear...i appreciate the lecture on posting ettiquette...but if you'd read the post...this is NEW...

Yesterday, (that would be wednesday March13, 2002) this vulnerability was proven harmful...

the original thread...was followed by THIS which proved that the exploit could be run even without activex....

the previous 2 threads were proof of concept...this thread..proves that you can potentially harm someones system with the exploit...

which is what i titled it...and why i started a new thread...

[zigar]

This is the reason I'm using Opera and Eudora,

A note to all Eudora users who, like myself, thought they were not at risk...the default configuration of eudora uses IE as the html rendering engine...and as such, eudora IS vulnerable to this exploit...

however, you can go to tools/options/viewing mail and uncheck Use Microsoft Viewer...this will force eudora to use it's built in renderer and may prevent this exploit...i haven't tested it tho...